Client/Server Runtime Subsystem: Difference between revisions

Content deleted Content added
csrss.exe
Tag: references removed
tried it on win7
Tags: Mobile edit Mobile web edit
 
(48 intermediate revisions by 30 users not shown)
Line 1:
{{Short description|Windows NT operating system component}}
CSRSS.EXE is a process registered as a trojan . It is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms.[1][2][3] This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter,[4] and it can infect other devices on the same local network.It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. csrss circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks. It became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.This kind of worm can only come from network if the firewall of your home network is not responding to your identity or might expired.This process is a security risk and should be removed from your network.This infection can easily damage any anti virus security on computers and other devices and it can transfer to any device which is connected to the same internet or network.You need a network security firewall in order to protect your identity from this hacking file which can steal your identity and and missuse it for any fraudulent activities with anyone.you should not have this kind of process running in computer and network
The '''Client/Server Runtime Subsystem''', or <code>csrss.exe</code>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]]. In modern versions of Windows, it is primarily involved with process and thread management, [[Win32 console|console window]] handling, [[side-by-side assembly]] loading and the shutdown process. Historically, it had also been responsible for window management and graphics rendering, however, these operations have been moved to [[kernel mode]] starting with [[Windows NT 4.0]] to improve performance.<ref>{{cite web
|url=https://technet.microsoft.com/en-us/library/cc750820.aspx#XSLTsection124121120120
|title=The Windows NT 4.0 Kernel mode change
|access-date=2009-01-19
|work=MS Windows NT Kernel-mode User and GDI White Paper
|publisher=Microsoft
}}</ref>
 
CSRSS instances are marked as critical processes, meaning that terminating one will [[blue screen of death|crash]] the system, if the critical status is removed and one is terminated, the system will freeze. Built-in process management tools in most Windows versions will also refuse to kill instances of CSRSS. Under normal operation, there is a CSRSS instance for each session (two in [[Windows Vista]] and newer, one in earlier versions,<ref>{{cite web
|url=https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
|title=Inside the Windows Vista Kernel – Startup Processes
|access-date=2010-10-01
|publisher=Microsoft
}}</ref> both assuming there are no active [[Remote Desktop Protocol|RDP]] connections which spawn extra sessions).
 
== Technical details ==
CSRSS runs as a user-mode [[Windows service|system service]]. When a user-mode process calls a function involving console windows, process/thread creation, or [[Side-by-side assembly|side-by-side]] support, instead of issuing a [[system call]], the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an [[Local Procedure Call|inter-process call]] to the CSRSS process which does most of the actual work without compromising the kernel.<ref>{{cite web
|url=http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|title=Detailed implementation of a system service in Windows NT
|access-date=2010-06-10
|work=Undocumented Windows NT
|archive-url=https://web.archive.org/web/20110717032622/http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|archive-date=2011-07-17
|url-status=dead
}}</ref> Window manager and [[Graphics Device Interface|GDI]] services are handled by a kernel mode driver (win32k.sys) instead.<ref>{{cite book|last=Russinovich|first=Mark|authorlink=Mark Russinovich|title=Windows Internals, 5th Edition|year=2009|publisher=Microsoft Press|pages=54}}</ref>
 
CSRSS is called along with <code>winlogon.exe</code> from [[Session Manager Subsystem|smss.exe]] at Windows start-up. If either of the files is corrupted or otherwise inaccessible, SMSS will tell the kernel to shut down the start-up process with a [[Blue screen of death]].<ref>{{Cite web|url=https://support.microsoft.com/en-us/help/156669/how-to-troubleshoot-a-stop-0xc000021a-error-in-windows-xp-or-windows-s|title=How to troubleshoot a "STOP 0xC000021A" error in Windows XP or Windows Server 2003|website=support.microsoft.com|access-date=2020-03-15}}</ref> The error code for this fault is 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED).
 
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns <code>conhost.exe</code> subprocesses to draw console windows for command line programs with the permissions of that user.
 
== Malware hoaxes ==
There are numerous [[virus hoax]]es that claim that csrss.exe is [[malware]] and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe [[Process (computing)|process]] will result in a system crash in Windows applications.
 
In addition, [[technical support scam]]mers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection, and convince the user being scammed into purchasing their [[rogue security software]] to remove it.<ref>{{cite web|url=http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml|title=Symantec Disavows Business Partner Caught Running a Tech Support Scam|last=Cimpanu|first=Catalin|publisher=[[Softpedia]]|date=Jan 22, 2016|access-date=July 29, 2016}}</ref>
 
== See also ==
* [[List of Microsoft Windows components]]
 
== References ==
{{Reflist}}
 
== External links ==
* [https://technet.microsoft.com/en-us/library/bb457123.aspx Troubleshooting the Startup Process (Windows XP Professional Resource Kit)]
 
{{Microsoft Windows components}}
 
{{DEFAULTSORT:Client Server Runtime Subsystem}}
[[Category:Windows NT architecture]]
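
Review bot: In the added lead, the sentence "terminating one will crash the system, if the critical status is removed and one is terminated, the system will freeze" is a comma splice, and neither the crash nor the freeze claim carries a reference; split it after "crash the system" and cite a source for both behaviours. In the added "Malware hoaxes" section the first paragraph is also unreferenced, and "will result in a system crash in Windows applications" does not read cleanly; "will result in a system crash" would agree with what the lead says about critical processes. The removed paragraph called csrss.exe a trojan that "should be removed from your network" and mixed in figures attributed to "Zeus", which is exactly the kind of claim the new "Malware hoaxes" section describes as false, so dropping it is consistent with the added text.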